author | Silvino <silvino@bk.ru> | 2019-06-12 23:51:18 +0000 |
---|---|---|
committer | Silvino <silvino@bk.ru> | 2019-06-12 23:51:18 +0000 |
commit | 4cfdf53921842b1b59fa5fd77777fb6065f6e977 (patch) | |
tree | ada3f041b90304b9de8c5c9b249c9bd999bbdf0b /core/apparmor.html | |
parent | d0caaf447c7aef7bd329e7d1a99fb127c658f784 (diff) | |
download | doc-4cfdf53921842b1b59fa5fd77777fb6065f6e977.tar.gz |
apparmor added profiles
Diffstat (limited to 'core/apparmor.html')
-rw-r--r-- | core/apparmor.html | 51 |
1 files changed, 47 insertions, 4 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 5c9b541..0052a68 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -11,7 +11,7 @@ <h1>2.6.1. AppArmor</h1> <p>Check <a href="linux.html#configure">kernel configuration</a> or - use the provided with <a href="reboot.html#linux">linux-gnu</a> port + use the provided with <a href="reboot.html#linux">linux-gnu</a> port to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based on security policies. User space tools are provided by apparmor port and its dependencies, install them;</p> @@ -48,7 +48,20 @@ aa-decode aa-exec aa-remove-unknown </pre> - <p>apparmor_parser options;</p> + <h2 id="profiles">Profiles</h2> + + <p>Profiles are located at /etc/apparmor.d/ and + /usr/share/apparmor/extra-profiles contain profiles + that require testing; + + <pre> + # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/ + # sudo rm /etc/apparmor.d/README + # bash /etc/rc.d/apparmor restart + </pre> + + <p>Profiles are parsed using + apparmor_parser;</p> <pre> Usage: apparmor_parser [options] [profile] 
@@ -93,11 +106,41 @@ --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel --warn n Enable warnings (see --help=warn) </pre> - # + + <h3 id="auto_profiles">Create profile with audit</h3> + + <h3 id="man_profiles">Create profile manually</h3> + + <p>To create a new profile, let's say for lynx, + first find where the application is;</p> + + <pre> + $ whereis lynx + lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz + </pre> + + <p>Now create a file with path to executable in + /etc/apparmor.d;</p> + + <pre> + # vim /etc/apparmor.d/usr.bin.lynx + </pre> + + <p>Create basic profile template;</p> + + <pre> + #include <tunables/global> + + profile lynx /usr/bin/lynx { + #include <abstractions/base> + } + </pre> + + <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
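Review bot: the `-`/`+` pair in the first hunk (`use the provided with <a href="reboot.html#linux">linux-gnu</a> port`) differs only in trailing whitespace, so the hunk changes nothing visible; either drop it or use it to fix the sentence, which is still hard to read after the change: "use the kernel provided by the linux-gnu port to support apparmor" and, in the context line that follows, "AppArmor enforces rules on applications" (singular verb).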
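Review bot: in the second hunk the `<p>Profiles are located at /etc/apparmor.d/ and` paragraph is never closed before the `<pre>` that follows, and the sentence itself does not parse; suggest `<p>Profiles are located in /etc/apparmor.d/; /usr/share/apparmor/extra-profiles contains additional profiles that still require testing;</p>`. The command block also mixes a root prompt with sudo (`# sudo rm /etc/apparmor.d/README`); drop `sudo` to match the other two lines. More importantly, copying every extra profile into /etc/apparmor.d and restarting the service loads untested profiles, and any profile without `flags=(complain)` is enforced immediately, which can break the confined applications; the text should tell the reader to switch the copied profiles to complain mode first (e.g. `aa-complain /etc/apparmor.d/*`) and review the audit log before enforcing them.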
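Review bot: the `<h3 id="auto_profiles">Create profile with audit</h3>` heading in the third hunk has no body at all; either write the section or leave the heading out until it is written. In the template `<pre>`, the lines `#include <tunables/global>` and `#include <abstractions/base>` contain raw angle brackets, which the browser treats as HTML tags, so the include targets vanish from the rendered page; escape them as `&lt;tunables/global&gt;` and `&lt;abstractions/base&gt;`. The template `profile lynx /usr/bin/lynx {` also carries no flags, so once loaded it is enforced and lynx is denied everything not granted by abstractions/base; for a profile under development suggest `profile lynx /usr/bin/lynx flags=(complain) {` so denials are only logged while rules are gathered. Finally, the procedure stops after creating the file and never loads it; add the step, e.g. `apparmor_parser -r /etc/apparmor.d/usr.bin.lynx`, so the reader can verify the profile is active.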